/*
* Copyright 2014 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.cloudfoundry.community.servicebroker.s3.service;
import org.cloudfoundry.community.servicebroker.s3.policy.BucketGroupPolicy;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import com.amazonaws.services.identitymanagement.AmazonIdentityManagement;
import com.amazonaws.services.identitymanagement.model.*;
public abstract class Iam {
private static final Logger logger = LoggerFactory.getLogger(Iam.class);
private final AmazonIdentityManagement iam;
private final BucketGroupPolicy bucketGroupPolicy;
private final String groupPath;
private final String groupNamePrefix;
private final String policyNamePrefix;
private final String userPath;
private final String userNamePrefix;
@Autowired
public Iam(AmazonIdentityManagement iam, BucketGroupPolicy bucketGroupPolicy,
@Value("${GROUP_PATH:/cloud-foundry/s3/}") String groupPath,
@Value("${GROUP_NAME_PREFIX:cloud-foundry-s3-}") String groupNamePrefix,
@Value("${POLICY_NAME_PREFIX:cloud-foundry-s3-}") String policyNamePrefix,
@Value("${USER_PATH:/cloud-foundry/s3/}") String userPath,
@Value("${USER_NAME_PREFIX:cloud-foundry-s3-}") String userNamePrefix) {
this.iam = iam;
this.bucketGroupPolicy = bucketGroupPolicy;
this.groupPath = groupPath;
this.groupNamePrefix = groupNamePrefix;
this.policyNamePrefix = policyNamePrefix;
this.userPath = userPath;
this.userNamePrefix = userNamePrefix;
}
public BucketGroupPolicy getBucketGroupPolicy() {
return bucketGroupPolicy;
}
public String getGroupPath() {
return groupPath;
}
public String getGroupNamePrefix() {
return groupNamePrefix;
}
public String getPolicyNamePrefix() {
return policyNamePrefix;
}
public String getUserPath() {
return userPath;
}
public String getUserNamePrefix() {
return userNamePrefix;
}
public AccessKey createAccessKey(User user) {
CreateAccessKeyRequest request = new CreateAccessKeyRequest().withUserName(user.getUserName());
CreateAccessKeyResult result = iam.createAccessKey(request);
return result.getAccessKey();
}
public void addUserToGroup(User user, String groupName) {
logger.info("Adding user '{}' to group '{}'", user.getUserName(), groupName);
AddUserToGroupRequest request = new AddUserToGroupRequest();
request.setGroupName(groupName);
request.setUserName(user.getUserName());
iam.addUserToGroup(request);
}
public Group createGroup(String groupName) {
CreateGroupRequest request = new CreateGroupRequest(groupName);
request.setPath(groupPath);
CreateGroupResult result = iam.createGroup(request);
return result.getGroup();
}
public void applyGroupPolicy(String groupName, String policyName, String bucketName) {
// https://forums.aws.amazon.com/message.jspa?messageID=356160
PutGroupPolicyRequest request = new PutGroupPolicyRequest();
logger.info("Putting policy document on group '{}': {}", groupName,
bucketGroupPolicy.policyDocumentForBucket(bucketName));
request.setGroupName(groupName);
request.setPolicyName(policyName);
request.setPolicyDocument(bucketGroupPolicy.policyDocumentForBucket(bucketName));
iam.putGroupPolicy(request);
}
public void deleteGroupPolicy(String groupName, String policyName) {
logger.info("Deleting policy document for group '{}'", groupName);
DeleteGroupPolicyRequest request = new DeleteGroupPolicyRequest(groupName, policyName);
iam.deleteGroupPolicy(request);
}
public void deleteGroup(String groupName) {
DeleteGroupRequest request = new DeleteGroupRequest(groupName);
iam.deleteGroup(request);
}
public User createUser(String userName) {
CreateUserRequest request = new CreateUserRequest(userName).withPath(userPath);
CreateUserResult result = iam.createUser(request);
return result.getUser();
}
/**
* The user must not be a member of any groups or have any access keys.
*
* @param userName
*/
public void deleteUser(String userName) {
DeleteUserRequest request = new DeleteUserRequest(userName);
iam.deleteUser(request);
}
public void removeUserFromGroup(String userName, String groupName) {
logger.info("Removing user '{}' from group '{}'", userName, groupName);
// iam.listGroupsForUser(listGroupsForUserRequest)
RemoveUserFromGroupRequest removeUserFromGroupRequest = new RemoveUserFromGroupRequest(groupName, userName);
iam.removeUserFromGroup(removeUserFromGroupRequest);
}
public void deleteUserAccessKeys(String userName) {
logger.info("Deleting all access keys for user '{}'", userName);
ListAccessKeysRequest accessKeysRequest = new ListAccessKeysRequest();
accessKeysRequest.setUserName(userName);
ListAccessKeysResult accessKeysResult = iam.listAccessKeys(accessKeysRequest);
for (AccessKeyMetadata keyMeta : accessKeysResult.getAccessKeyMetadata()) {
DeleteAccessKeyRequest request = new DeleteAccessKeyRequest(userName, keyMeta.getAccessKeyId());
iam.deleteAccessKey(request);
}
// ListAccessKeysResult has truncation in it but there doesn't seem to
// be a way to use it
}
}
